A. Field
The invention relates to the reliable and attack-proof generation of confirmed transaction data when security-critical transactions are carried out on standard data processing devices in a fundamentally attackable network environment. Among other things, the invention is directed in particular to the generation of secure transaction data when payments are carried out on a personal computer via the Internet.
B. Related Art
A particular problem in carrying out security-critical applications, in which a user has to enter or confirm sensitive data, consists in ensuring that the information reproduced on a screen corresponds to the information actually intended by the user. Conventional computer systems, personal computers above all, are attackable in particular via the screen display: malware previously smuggled onto the personal computer can generate a display which pretends to the user that the application chosen by him is being carried out properly, while in fact a different application is executed with transaction data other than those desired by the user. Such attacks are possible because, when an application is executed on a personal computer, the same CPU typically controls the data exchange with the background system, with the user input unit, and with the screen. Accordingly, it is comparatively easy to intervene, via the connection to the background system, in the data exchange with the user input unit and the screen.
To prevent such attacks it has already been proposed to use additional devices which at least temporarily establish a secure connection between the user input unit and the screen. Such a solution is known from the 1999 publication of the TOWITOKO company “Chip drive monitor kit macht digitale Signatur sicherer” (“Chip drive monitor kit makes digital signatures more secure”). According to it, an additional device is connected between the CPU of the personal computer, the input unit, and the screen, with which a direct connection between user input unit and screen can be established while the CPU is temporarily disconnected. For this purpose the additional device has a display preparation unit of its own as well as a monitor switch by means of which, for the input of sensitive transaction data, a direct connection between user input unit and screen is temporarily established through the additional device. The user then sees on the monitor the inputs actually made by him at the input unit. The solution permits the trustworthy generation of confirmed transaction data, but since an additional device is required it is elaborate and accordingly expensive. Moreover, the build-up and tear-down times of the display associated with the switching processes when the monitor switch is actuated impair the user-friendliness.
From U.S. Pat. No. 5,701,342 A a method for generating trustworthy documents in an insecure computer environment is known, in which a filter ensures that the actual content of the document is displayed to the user. A viewed document is secured with the aid of a seal. The security of the method depends first of all on the quality of the filter. Providing an efficient filter, however, is elaborate.